A Kerberos for all?

Kerberos, the keeper of the gates of Dell, I mean Hell.
On this rainy Sunday night I was reading an article about passwords, and they are right in saying that passwords are not a real security defense for your business. Believe me: your secretary has her password written down under her keyboard, and the CFO of your bank has the password that guards all your savings written on a Post-it stuck to the top of his monitor.
So, how do we fix the problem? Well, right now the problem is "fixed" by forcing those users to change their passwords every other month and not letting them pick simple passwords like 123456.
What you are going to get (if you are the poor network admin) is a number of calls, originated by an 8th-tier error, saying that they cannot log in to the system, that they can't work, that how is it possible that this network never works, shame on you, this is ridiculous, we curse you... and all this because they forgot the password. If the support calls just stop, it's because every one of them wrote their password down in a very visible place in their cubicle.
What I read today reminded me of some research I did on Kerberos. This line caught my attention:
“In short, we need a log-on system that relies on cryptography, not mnemonics.”
You know it is possible to store a damn good long string of characters on a USB stick that can be used as an authentication token with another server? That's really old and proven technology and seems related to 'smart cards', which come as a default in Windows Vista.
Please note the way the author tries to say that Vista is superior in security terms to Unix and Mac... Lord have mercy on his soul. (This is in the link at the end of this post.)
Check this out, from the FreeBSD Handbook:
“Kerberos can be described as an identity-verifying proxy system. It can also be described as a trusted third-party authentication system. Kerberos provides only one function — the secure authentication of users on the network. It does not provide authorization functions (what users are allowed to do) or auditing functions (what those users did). After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.”
FreeBSD Handbook, chapter 14, Security
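To make the "trusted third party" idea in that quote concrete, here is an added toy example of the exchange, written for this post and not taken from the FreeBSD Handbook, MIT or Microsoft. A KDC holds every principal's long-term key; the client's key is derived from its password, so the password itself never goes on the wire, and the client proves who it is by being able to decrypt what the KDC sends back. The ticket is readable only by the service, and the service checks that the client who presented it also holds the session key inside it. Assumptions: the real protocol has a separate ticket-granting step (TGT, then service ticket), which this example collapses into one; the principal names, password and the HMAC-based "seal" cipher are all constructed for the demo and stand in for Kerberos's real encryption types.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption built on the stdlib only: an HMAC-SHA256
# keystream in counter mode plus an encrypt-then-MAC tag. It stands in for
# Kerberos's real encryption types purely so the example runs offline.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON-serialisable dict under key: nonce || ciphertext || tag."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_sealed(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered message")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def password_key(password: str, principal: str) -> bytes:
    # Like Kerberos, derive the client's long-term key from the password,
    # salted with the principal name. The password is never sent anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)

class KDC:
    """The trusted third party: it knows every principal's long-term key."""
    def __init__(self):
        self.keys = {}

    def register_user(self, principal: str, password: str) -> None:
        self.keys[principal] = password_key(password, principal)

    def register_service(self, principal: str) -> bytes:
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]  # provisioned to the service out of band (a keytab)

    def as_exchange(self, client: str, service: str, lifetime: int = 300):
        # AS and TGS steps collapsed: one ticket straight for the target service.
        session_key = os.urandom(32)
        expiry = time.time() + lifetime
        # Ticket: readable only by the service. Reply: readable only by the client.
        ticket = seal(self.keys[service], {"client": client, "key": session_key.hex(), "expiry": expiry})
        reply = seal(self.keys[client], {"key": session_key.hex(), "expiry": expiry, "service": service})
        return reply, ticket

def client_authenticate(kdc: KDC, client: str, password: str, service: str):
    """Client side: get a ticket from the KDC, then build the AP-REQ for the service."""
    reply, ticket = kdc.as_exchange(client, service)
    # Only the holder of the right password can recover the session key.
    creds = open_sealed(password_key(password, client), reply)
    session_key = bytes.fromhex(creds["key"])
    authenticator = seal(session_key, {"client": client, "timestamp": time.time()})
    return ticket, authenticator

def service_verify(service_key: bytes, ticket_blob: bytes, authenticator_blob: bytes,
                   clock_skew: int = 300) -> bool:
    """Service side: open the ticket, recover the session key, check the authenticator."""
    try:
        ticket = open_sealed(service_key, ticket_blob)
    except ValueError:
        return False
    if ticket["expiry"] < time.time():
        return False
    session_key = bytes.fromhex(ticket["key"])
    try:
        auth = open_sealed(session_key, authenticator_blob)
    except ValueError:
        return False  # presenter of the ticket does not hold its session key
    return auth["client"] == ticket["client"] and abs(time.time() - auth["timestamp"]) <= clock_skew

def demo(password_used: str = "correct horse") -> bool:
    """Constructed principals and password; returns whether the service accepts the login."""
    kdc = KDC()
    kdc.register_user("alice@EXAMPLE.ORG", "correct horse")
    files_key = kdc.register_service("host/files.example.org")
    try:
        ticket, authenticator = client_authenticate(kdc, "alice@EXAMPLE.ORG", password_used, "host/files.example.org")
    except ValueError:
        return False  # wrong password: the KDC reply cannot be opened
    return service_verify(files_key, ticket, authenticator)
```

Note what the service never sees: the user's password, or even its password-derived key. It only needs its own key and the KDC's word, carried in the ticket, about who the client is; authorization and auditing, exactly as the Handbook says, are someone else's job. Swapping the password-derived key for a long random key held on a USB token or smart card changes nothing in this flow except that there is nothing left to write on a Post-it.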
Microsoft adopted this technology with Windows XP; here is a diagram.
...and Microsoft's.
Kerberos implementations are not for the faint of heart, but it is a very reliable technology that now comes out of the box and ready to go in Windows domains. But about smart cards... this appears in the midst of the marketing on the Microsoft page for smart cards:
“The two largest vendors of operating systems for smart cards are MAOSCO (an industry consortium) and Microsoft. More information about the MAOSCO consortium and the MULTOS operating system for smart cards is available from http://www.multos.com.”
This just sounds ugly... can you imagine this? That you have to buy a smart card from M$ to do your business?? ARRGGHH, I just can't think about this; let me see what the Linux zealots have to say on it:
Smart cards in Italy, yes there are only .dll drivers.
In short, the above article talks about the use of smart cards in Italy, and the hard time non-Windows users have with them.
Eventually we'll have to kiss goodbye to the good ol' passwords. There is an alternative in biometrics, so your password is your fingerprint, but for some reason it seems hard to make this a corporate standard for day-to-day operations.
The last link is the original article, enjoy.